Under the Radar: USB Vulnerability.

We think a lot about anti-virus, spam filters, phishing attempts, spyware, firewalls, complex passwords, and countless other cybersecurity measures and concerns. But what many of us rarely think about are the USB devices we’re plugging into our computers on a daily basis, giving these devices direct and often unfettered access to the soft underbellies of our computer systems.

Consider this: You’re walking outside your home or workplace when you spy a tattered-looking USB flash drive on the sidewalk. Hmmm. You pick it up and bring it inside. Answer me honestly – would you plug it into your computer to see what it holds? I think the average person’s answer would be “yes.” I know that I personally would be highly tempted to check it out, against my better judgement.

The truth is that USB connections, while ubiquitous and useful, are also a means by which a cybercrook can wreak some serious havoc on your computer and information security. As Norton explains:

What Can a “Bad” USB Stick Do?

A malicious device can install malware such as backdoor Trojans, information stealers and much more. They can install browser hijackers that will redirect you to the hacker’s website of choice, which could host more malware, or inject adware, spyware or greyware onto your computer.

And did you think that only USB flash drives are a threat? Think again:

It is well known that USB drives can be dangerous. Companies run strict screening policies and it has long been known that running unknown ‘exe’ files is a bad idea. But what if the threat was undetectable, unfixable and could be planted into any USB device be it a USB drive, keyboard, mouse, web camera, printer, even smartphone or tablet? Well this nightmare scenario just became reality….

…To demonstrate this the researchers created malware called ‘BadUSB’. It can be installed on any USB device and take complete control over any PC to which it connects. This includes downloading and uploading files, tracking web history, adding infected software into installations and even controlling the keyboard so it can type commands.

“It can do whatever you can do with a keyboard, which is basically everything a computer does,” explains Nohl in an interview with Wired.

As you can see, USB threats are serious business. If an infected device gets plugged into your computer, you can kiss your security goodbye.

DEFENSE AGAINST THE DARK USB ARTS

Thankfully, there is one very safe and effective way to avoid USB apocalypse – Don’t plug unknown devices into your machine, as Norton explains:

Don’t plug unknown flash drives into your computer- this is one of the most important pieces of advice you should follow. This is a tactic used in social engineering, where the attacker relies on the curiosity of people. If you see a USB stick lying out in open, public places, do NOT plug it into your computer to see what’s on it.

Curiousity is a powerful thing. Cybercrooks use predictable human reactions like this to their advantage. Don’t be predictable – if you find a USB device lying around and you have no clue where it came from or who owned it last, then don’t plug it in. Dip it bronze instead and mount it on your desk as a symbol of USB security (I’m only half-kidding).

Norton offers further guidance on USB security:

Use secure USB drives. Some newer models have safety features such as fingerprint authentication that help protect the device from hackers.

Don’t use the same flash drives for home and work computers, as you could run the risk of cross contaminating your computers.

Be careful where you purchase your USB drives from, as some shady third party manufacturers are known to manufacture these devices with malware on them. Always buy your flash drives from reputable, well known manufacturers as well as sellers.

Keep the software on your computer up to date. No one likes to do them, but software updates are crucial to the security of your computer, as they patch known vulnerabilities.

Make sure to keep your Internet security software up to date. In the event you accidentally use a device that contains malware, you’re protected. If you don’t have Internet security software, you should get it, as it can protect you from a host of issues other than just USB malware.

In the enterprise environment – where the stakes are much higher – it’s not even enough to train users on suspicious USB devices. If a determined crook is after your organization, they’ll find a way to slip something in undetected. In this case, it’s best to block all USB storage devices by default, instead requiring explicit approval from an Administrator to unblock and use. This protects systems from unknown devices that might carry malicious software and while allowing IT security teams to inspect devices for security concerns prior to usage within the enterprise environment.